Subodh KCSubodh KC/systems
let's talk →
Compliance Guide

Texas AI Law
TRAIGA (HB 149)

Texas is the first US state with a comprehensive AI law. TRAIGA takes effect January 1, 2026 — here's what your business needs to do.

Overview

What is the Texas Responsible AI Governance Act?

The Texas Responsible AI Governance Act (TRAIGA), enacted as House Bill 149, is a comprehensive state law regulating the development and deployment of artificial intelligence systems in Texas. It spans Chapters 551-554 of the Texas Business and Commerce Code, with cross-references to the Texas Data Privacy and Security Act (TDPSA), the Capture or Use of Biometric Identifier Act (CUBI), and the Texas Government Code.

TRAIGA establishes applicability criteria, defines prohibited AI practices, creates disclosure duties for governmental agencies and healthcare providers, sets enforcement authority with the Texas Attorney General, provides a 60-day cure period, and creates a regulatory sandbox program under Chapter 553.

Key Facts

  • Effective date: January 1, 2026
  • Enforcement: Texas Attorney General (exclusive)
  • Penalties: $10K-$12K curable, $80K-$200K uncurable
  • Cure period: 60 days after AG notice
  • Sandbox: Up to 36 months (Chapter 553)
  • Private right of action: None
Applicability

Does TRAIGA apply to you?

TRAIGA applies if your AI system meets the statutory definition and you have a Texas nexus. Three independent nexus tests — any one is sufficient.

Nexus Test 1

You promote, advertise, or conduct business in Texas.

Tex. Bus. & Com. Code § 551.002

Nexus Test 2

You produce a product or service used by Texas residents.

Tex. Bus. & Com. Code § 551.002

Nexus Test 3

You develop or deploy an AI system in Texas.

Tex. Bus. & Com. Code § 551.002

AI System Definition (§ 551.001)

TRAIGA defines an AI system as a machine-based system that, for explicit or implicit objectives, infers from the inputs it receives how to generate outputs that can influence physical or virtual environments. If your system does not meet this definition, TRAIGA may not apply.

Roles Under TRAIGA

Multiple roles may apply simultaneously. TRAIGA does not force a single role classification.

Developer — develops AI offered, sold, leased, or provided in Texas
Deployer — deploys AI for use in Texas
Governmental entity — state or political subdivision (excludes hospital districts and higher education)
Healthcare provider — licensed, registered, or certified individual
Controller — under TDPSA (Chapter 541)
Processor — under TDPSA (Chapter 541)
State agency — subject to AI inventory and reporting
Sandbox applicant — Chapter 553 participant
Chapter 552, Subchapter B

Prohibited AI Practices

TRAIGA prohibits specific AI practices. Each prohibition is tested independently using its exact statutory elements. Intent is central — disparate impact alone is insufficient.

Harmful Manipulation

Prohibits developing or deploying AI with intent to incite or encourage self-harm, harm to another, or criminal activity. The intent element is central — disparate impact alone is insufficient.

Tex. Bus. & Com. Code § 552.052

Social Scoring (Government Only)

Prohibits governmental entities from developing or deploying AI to evaluate or classify natural persons based on social behavior or personal characteristics, with intent to assign a social score causing detrimental treatment or rights infringement. Does not apply to non-governmental actors.

Tex. Bus. & Com. Code § 552.053

Constitutional Rights Impairment

Prohibits developing or deploying AI with the sole intent to impair, infringe, or violate a constitutional right. The sole intent element is critical — if the system has other primary purposes, this prohibition may not apply.

Tex. Bus. & Com. Code § 552.055

Unlawful Discrimination

Prohibits developing or deploying AI with intent to unlawfully discriminate against a protected class. Disparate impact alone does not satisfy the intent element, though other civil-rights laws may still apply. Narrow exceptions exist for regulated insurance entities (§ 552.056(d)) and federally insured financial institutions (§ 552.056(e)).

Tex. Bus. & Com. Code § 552.056

Sexual Content and Deepfakes

Prohibits specified intentional development or distribution of AI for unlawful sexual visual material, deepfake sexual content, or sexual text interaction imitating a child. Incorporates Texas Penal Code offenses and definitions.

Tex. Bus. & Com. Code § 552.057

Section 552.051

Disclosure Duties

TRAIGA creates mandatory disclosure obligations for governmental agencies and healthcare providers using AI systems.

Governmental Agencies

When a governmental agency offers an AI system intended to interact with consumers, disclosure is required before or at the time of interaction.

The disclosure must be:

  • Clear and conspicuous
  • In plain language
  • Free of dark patterns or manipulative design

If a hyperlink is used, it must satisfy the clear and conspicuous standard.

Tex. Bus. & Com. Code § 552.051(b)-(e)

Healthcare Providers

When a licensed, registered, or certified healthcare provider uses AI in relation to a service or treatment, disclosure is required by the first date of service.

In an emergency, disclosure must be provided as soon as reasonably possible — not necessarily by the first date of service.

The provider must document the disclosure date and recipient.

Tex. Bus. & Com. Code § 552.051(f)

Cross-Law Routing

Biometric Data and CUBI

If your AI system captures, stores, processes, or possesses biometric identifiers, TRAIGA creates a cross-law routing to the Capture or Use of Biometric Identifier Act (CUBI).

A CUBI violation under Section 503.001 is also a Section 552.054 violation under TRAIGA. The statutory definitions differ:

CUBI (§ 503.001) — narrower

Retina/iris scan, fingerprint, voiceprint, hand/face geometry record. Notice and consent required before commercial capture. Destruction within one year of purpose expiration.

TRAIGA (§ 552.054) — broader

Broader biometric data definition for government biometric provisions. A CUBI violation automatically triggers a § 552.054 violation.

AI training exemption caveat: The CUBI AI-training exemption is lost when the AI is used or deployed to uniquely identify a specific individual. A later commercial use of previously non-commercial biometric data may reactivate CUBI duties.

Enforcement

Penalties and Enforcement

The Texas Attorney General has exclusive enforcement authority. There is no private right of action under TRAIGA.

Violation TypePenalty RangeCure AvailableCitation
Curable violations$10,000 - $12,000 per violationYes — 60 days§ 552.105
Uncurable violations (prohibited practices)$80,000 - $200,000 per violationNo§ 552.105
Undeployed systemsNo penalty collectionN/A§ 552.105(f)

Enforcement Process

  1. AG receives complaint or identifies potential violation
  2. AG issues civil investigative demand (CID) or complaint
  3. 60-day cure period begins (for curable violations)
  4. If cured: no action with required written statement and documentation
  5. If not cured: AG pursues civil penalty

The AG may request detailed system documentation including purpose, intended use, deployment context, data types, metrics, limitations, monitoring, and safeguards.

Defense Strategy

NIST AI RMF Defense Pathway

TRAIGA uniquely provides a defense pathway for organizations that adopt the NIST AI RMF or NIST Generative AI Profile.

Under Section 552.105(e)(2)(D), substantial compliance with the current NIST Generative AI Profile or another recognized framework can support the internal-review discovery pathway. This is a defense candidate, not a certification or safe harbor.

How the defense pathway works:

  1. Adopt NIST AI RMF or NIST GenAI Profile and version-pin the framework
  2. Conduct a qualifying internal review using the framework
  3. The internal review discovers an issue through feedback, red teaming, agency guidance, or qualifying internal review
  4. Preserve the internal review documentation that discovered the issue
  5. If all conditions are met, the defendant may avoid liability

Important: NIST mapping produces a DEFENSE_CANDIDATE, not certification or safe-harbor approval. The internal review that actually discovered the issue must be preserved. Third-party misuse may also support a defense under listed conditions.

Chapter 553

Regulatory Sandbox

TRAIGA creates a regulatory sandbox program allowing participants to test AI systems under application-based approval.

The Chapter 553 sandbox program allows participants to test AI systems for up to 36 months under an application-based approval. Sandbox participants remain subject to non-waivable Chapter 552 Subchapter B prohibitions.

What the sandbox provides

  • Testing window up to 36 months
  • Application-based approval
  • Quarterly reporting requirements
  • Waiver of certain provisions

What the sandbox does NOT waive

  • Prohibited practices (§ 552.052-.057)
  • Disclosure duties (§ 552.051)
  • Biometric restrictions (§ 552.054)
  • AG enforcement authority
Related Texas Legislation

Companion Texas AI Laws

TRAIGA is part of a broader Texas AI legislative framework. These companion laws may apply alongside TRAIGA.

SB 1964 — Government AI Use

Amends the Texas Government Code Chapter 2054. Creates code of ethics compliance, minimum standards, impact assessment, and vendor obligations for government AI use.

Tex. Gov. Code Ch. 2054

SB 1188 — Healthcare AI

Amends the Texas Health and Safety Code Chapter 183. Creates EHR location, safeguards, AI review, and diagnostic disclosure duties for healthcare AI use.

Tex. Health & Safety Code Ch. 183

State Agency AI Inventory

State agencies must maintain AI inventory, conduct considered-use evaluations, operational reviews, and Sunset review evidence. Conditional funding provisions apply.

Tex. Gov. Code §§ 325.011, 2054.068, 2054.0965

TDPSA (Chapter 541)

TRAIGA amends TDPSA processor assistance where AI collects, stores, or processes personal data. Controller/processor applicability must be run separately under TDPSA.

Tex. Bus. & Com. Code § 541.104

Action Items

Texas AI Law Compliance Checklist

A practical checklist for preparing for TRAIGA compliance before the January 1, 2026 effective date.

Assess

Determine whether your system meets the § 551.001 AI system definition
Evaluate Texas nexus under all three § 551.002 tests
Classify all applicable roles (developer, deployer, governmental entity, healthcare provider, controller/processor)
Screen for Chapter 552 Subchapter B prohibited practices

Document

Maintain deployment records capable of generating AG evidence fields (purpose, intended use, deployment context, data types, metrics, limitations, monitoring, safeguards)
Document AI system version and objective inference mechanism
Record evidence quality (direct, asserted, inferred, unknown, fact conflict)
Preserve all internal review documentation

Implement

Adopt NIST AI RMF or NIST GenAI Profile and version-pin the framework
Implement disclosure mechanisms for governmental and healthcare AI use
Run CUBI biometric analysis if system captures biometric identifiers
Evaluate TDPSA controller/processor obligations if processing personal data

Monitor

Conduct qualifying internal reviews using the adopted framework
Establish feedback and red team channels for issue discovery
Track AG guidance and enforcement actions
Prepare 60-day cure response process and documentation templates
Free Resource

Get the Texas AI Law Compliance Checklist

Free Texas AI Law Compliance Checklist

A practical, printable checklist covering TRAIGA applicability tests, prohibited practices, disclosure duties, defense pathways, and companion laws — based on the HAIEC TRAIGA compliance engine.

No spam. Unsubscribe anytime.

Expertise

How Subodh KC Can Help

I co-founded HAIEC and built the TRAIGA compliance engine — a 9-section deterministic assessment wizard covering Chapters 551-554 of the Texas Business and Commerce Code.

TRAIGA Assessment

Walk through the 9-section applicability assessment covering nexus, roles, prohibited practices, disclosure duties, biometrics, enforcement, and defense posture.

NIST AI RMF Implementation

Implement the NIST AI RMF or GenAI Profile to establish the § 552.105(e)(2)(D) defense pathway. Version-pin your framework and preserve internal review documentation.

Evidence Architecture

Build audit-grade evidence generation pipelines that produce AG-ready documentation covering purpose, intended use, deployment context, data types, and monitoring.

Based in Dallas, Texas. Contact Subodh KC for TRAIGA compliance advisory, or explore advisory services.

FAQ

Frequently Asked Questions

What is the Texas AI law?

The Texas Responsible AI Governance Act (TRAIGA), enacted as House Bill 149, is a comprehensive state law regulating the development and deployment of artificial intelligence systems in Texas. It covers Chapters 551-554 of the Texas Business and Commerce Code and takes effect on January 1, 2026.

When does the Texas AI law take effect?

TRAIGA takes effect on January 1, 2026. Organizations developing, deploying, or offering AI systems with a Texas nexus should begin compliance preparations now, given the complexity of applicability assessments and documentation requirements.

Who enforces the Texas AI law?

The Texas Attorney General has exclusive enforcement authority over Chapter 552 violations. The AG can issue civil investigative demands, complaints, and pursue civil penalties. There is no private right of action under TRAIGA.

What are the penalties under the Texas AI law?

Curable violations carry civil penalties of $10,000 to $12,000 per violation. Uncurable violations of prohibited AI practices carry penalties of $80,000 to $200,000 per violation. The AG may not collect civil penalties for AI systems that have not been deployed.

Does the Texas AI law apply to my company?

TRAIGA applies if you have a "Texas nexus" — meaning any one of these is true: (1) you do business in Texas, (2) you produce a product or service used by Texas residents, or (3) you develop or deploy AI in Texas. Any one of these is enough. If you're not sure, an applicability assessment is worth doing before the January 2026 deadline.

Is there a cure period under the Texas AI law?

Yes. After receiving written notice from the AG, you have 60 days to cure the violation. If cured within 60 days with the required written statement and supporting documentation, no action is taken. This is more lenient than the EU AI Act, which has no cure period.

Can NIST AI RMF compliance help under the Texas AI law?

Yes. If you follow the NIST AI RMF or NIST Generative AI Profile in good faith, it can serve as a defense if you're ever investigated. It's not a safe harbor or certification — but it shows you took reasonable steps. The key: your internal review process must be the one that actually caught the issue.

Does the Texas AI law have a regulatory sandbox?

Yes. Chapter 553 establishes a regulatory sandbox program allowing participants to test AI systems for up to 36 months under an application-based approval. Sandbox participants remain subject to non-waivable Chapter 552 Subchapter B prohibitions.

Prepare for TRAIGA Compliance

The January 1, 2026 deadline is approaching. Get a TRAIGA applicability assessment or compliance roadmap from Subodh KC — co-founder of the HAIEC TRAIGA compliance engine.

This guide is for informational purposes and does not constitute legal advice. For jurisdiction-specific compliance guidance, contact Subodh KC for advisory services. Last updated: July 2026. Legal version: TRAIGA-HAIEC-v3.0-ERRATA-1.

Let's Talk →